
Blog Post

July 1, 2019

HHS Publishes HIPAA Guidance for Use of Health Apps

On April 18, 2019, the US Department of Health and Human Services (HHS) Office for Civil Rights issued five new FAQs addressing the applicability of HIPAA to the use of software apps that receive health information. This guidance was released in recognition of expanding e-health technology and the increased use of health apps by patients on mobile devices such as smartphones and watches.

HHS clarified that, if a patient requests to receive their ePHI on a third-party health app that was not provided by or on behalf of the covered entity, the covered entity is not liable under HIPAA for any breach or impermissible disclosure. The individual’s right of access includes the right to request that the covered entity direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. If a covered entity transmits ePHI, at the patient’s direction, to an app in an unsecure manner or through an unsecure channel, the covered entity is not responsible for unauthorized access during the transmission, although the entity may wish to counsel the patient about the risk of unauthorized access.

By contrast, if a health care app was developed for or provided by or on behalf of a covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, then a business-associate relationship exists between the covered entity and the app developer, and the covered entity could be liable for an impermissible disclosure of ePHI. If the covered entity contracts with the app developer and provides the app to its patients for remote management, monitoring, or other purposes, the covered entity is subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

The new FAQs are available here under the “Access Right, Apps, and APIs” heading. These new FAQs provide important HIPAA guidance for covered entities, EHR developers, and app developers. Patients are demanding greater data accessibility and convenience through wearables and health-tracking apps, and covered entities must be cognizant of HIPAA compliance when sharing health information via these new technologies.

If you have questions regarding the information presented in this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com or another member of the firm’s health care or health and human services providers teams.
